Common mistakes computer security professionals make

If you can get past these six common computer security misconceptions, you'll be a far better defender than someone who hasn't. Don't believe it? Test it out.

1. Believing you’re fully patched

Just about every organization contains unpatched software; that is well known and not the point here. We are talking about the computers that security professionals use themselves.

Most security professionals, asked whether they are fully patched, show us the results of their Windows Update scan. Nearly all the rest show us the output of their favorite third-party patch-checking program.

They apparently don't realize how incomplete even the best of those programs are. They catch the popular, most-exploited software, but all of them miss things. Most don't check firmware or BIOS versions, for example, even though they easily could, and new firmware releases often close serious security holes.

When we do a manual survey, we always find software the patch checker never looked for. The method: enumerate every installed program, not just by reading the OS's installed-applications list but by walking the program folders and directories by hand, recording the version of each along the way. Some versions are not obvious, so you have to fall back on the dates of the executables and DLLs.

Then open the CVE (Common Vulnerabilities and Exposures) database and compare the inventory against what is listed there. (The CVE entry tells you which versions are affected; the vendor's advisory tells you which release fixed it, and when.) We always find unpatched software.
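The survey above, as an added example that is not part of the original article: walk a directory tree rather than trusting the installed-programs list, pull a product name and version string out of each binary where one is embedded, and where no version is present fall back to the file date, flagging anything built before the fix shipped. The directory tree, the product names and the "fixed in" table are all constructed here; in practice the fixed version and its release date come from the vendor advisory or CVE entry, and the string scan is a stand-in for reading the real PE VersionInfo or ELF notes.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed "fixed in" table: product -> (first patched version, date that
# patched version shipped). Hypothetical products; in practice this comes from
# the CVE entry or the vendor's advisory.
FIXED_IN = {
    "acme-viewer": ("3.2.1", datetime(2023, 4, 15, tzinfo=timezone.utc)),
    "widgetlib": ("1.10.0", datetime(2023, 6, 1, tzinfo=timezone.utc)),
}

BINARY_SUFFIXES = (".exe", ".dll", ".so", ".dylib")
NAME_RE = re.compile(rb"ProductName:\s*([\w.-]+)")
VERSION_RE = re.compile(rb"ProductVersion:\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'3.10.0' -> (3, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def identify(path):
    """Pull product name and version strings out of a binary, if present.
    Stand-in for reading PE VersionInfo / ELF notes; many binaries embed such
    strings, but not all do, which is why the mtime fallback below exists."""
    with open(path, "rb") as fh:
        blob = fh.read()
    name = NAME_RE.search(blob)
    version = VERSION_RE.search(blob)
    return (name.group(1).decode() if name else None,
            version.group(1).decode() if version else None)


def audit(root):
    """Walk every directory under root and classify each binary found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if not filename.lower().endswith(BINARY_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            product, version = identify(path)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if product not in FIXED_IN:
                status = "unidentified" if product is None else "no-advisory"
            elif version is not None:
                fixed_version, _ = FIXED_IN[product]
                status = "unpatched" if parse_version(version) < parse_version(fixed_version) else "ok"
            else:
                # No version string: use the file date. A binary built before
                # the fix shipped cannot contain the fix.
                _, fixed_date = FIXED_IN[product]
                status = "possibly-unpatched" if mtime < fixed_date else "unknown-version"
            findings.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                             "product": product, "version": version, "status": status})
    return findings


def build_sample_tree():
    """Constructed directory tree standing in for a real Program Files."""
    root = tempfile.mkdtemp(prefix="inventory-")
    files = {
        "acme/viewer.exe": b"MZ\x90\x00ProductName: acme-viewer\x00ProductVersion: 3.1.0\x00",
        "acme/updater.exe": b"MZ\x90\x00ProductName: acme-viewer\x00ProductVersion: 3.2.1\x00",
        "widgets/widgetlib.dll": b"MZ\x90\x00ProductName: widgetlib\x00",
        "misc/helper.dll": b"MZ\x90\x00no version resource here\x00",
        "misc/readme.txt": b"not a binary, skipped by the walk",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    # Backdate the version-less DLL to before its fix shipped.
    old = datetime(2023, 1, 10, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "widgets/widgetlib.dll"), (old, old))
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_tree()):
        print(f"{finding['status']:18} {finding['product'] or '?':12} "
              f"{finding['version'] or '?':8} {finding['path']}")
```

The "unidentified" bucket is the one the patch checkers never show you: binaries with no recognizable product marker still have to be tied to a product by hand before you can look them up at all.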

2. Worrying about the wrong threats

Many computer security professionals seem overly worried about obscure threats that are far lower risk in their environments than the really big threats they are facing. We love talking about theoretical exploits as much as the next guy, but when planning a security defense, you need to address the most likely threats.

We can talk about collision weaknesses in the SHA-1 hash function versus SHA-2, but your defense would be better served by talking about how to improve your patching. We can discuss the benefits of biometric identities over smartcards if you want, but reducing the number of standing, full-time administrator accounts in your environment would do far more. And so on.

3. Miseducating end users

In most workplaces, users get the same stale old advice: Avoid visiting untrusted Web sites, and don’t open email attachments from people you don’t know.

Here’s what you should be telling them: The websites you visit every day are likely to be compromised, so never install software offered to you over the Web unless you’re 100 percent sure that it’s from a legitimate vendor.

Users must also be told never to click on unexpected links or run active content sent by anyone, including people they know. A line such as "This email has been inspected and is 100 percent virus free" is a reason for suspicion, not reassurance; legitimate mail rarely needs to say so. We need to teach end users more about phishing and social engineering, and give them concrete steps for verifying any suspicious email or Web offer (calling the sender on a known number, typing the vendor's address by hand rather than following the link).

4. Neglecting to convey the right concerns to management

Often, security professionals fail to tell senior management about the biggest and most likely threats facing the organization. Most CIOs, CISOs, and CEOs can't tell you what the biggest threats to their environments are, even though they spend millions of dollars a year defending them.

Once again, security professionals themselves are to blame. We don't collect the right metrics. We report the number of malware programs detected and removed, or the number of unauthorized packets blocked by the firewall, but not the number of malware programs that went undetected and for how long. We need to work out what the biggest and most likely threats to our environment are, how they are getting in, and then send that information up the chain.
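As an added example of the kind of metric the paragraph asks for (not from the original article): given incident records that capture when the intrusion started, when it was noticed and what noticed it, compute per entry vector how often it happens, how long it typically goes undetected (dwell time), and how many cases the tooling missed outright. The incident records, vector names and the set of "automated" sources are constructed for this example.

```python
from datetime import datetime
from statistics import median

# Constructed incident records for illustration (not real data).
# "compromised": earliest evidence of the intrusion found during investigation
#                (first malicious logon, dropper timestamp, and so on)
# "detected":    when the organization first knew about it
# "detected_by": what raised it, so we can see how often the tooling missed it
INCIDENTS = [
    {"id": 1, "vector": "phishing-attachment", "compromised": "2024-02-03T09:12",
     "detected": "2024-02-03T11:40", "detected_by": "endpoint-av"},
    {"id": 2, "vector": "phishing-attachment", "compromised": "2024-02-10T14:05",
     "detected": "2024-03-01T08:30", "detected_by": "user-report"},
    {"id": 3, "vector": "unpatched-vpn", "compromised": "2024-01-20T22:00",
     "detected": "2024-03-15T16:00", "detected_by": "external-notification"},
    {"id": 4, "vector": "drive-by-download", "compromised": "2024-03-02T10:00",
     "detected": "2024-03-02T10:05", "detected_by": "web-proxy"},
    {"id": 5, "vector": "phishing-attachment", "compromised": "2024-03-05T08:00",
     "detected": "2024-03-12T08:00", "detected_by": "threat-hunt"},
]

# Sources that count as "our tooling caught it". Anything else means the
# malware ran undetected until a person, or an outsider, noticed.
AUTOMATED_SOURCES = {"endpoint-av", "edr", "web-proxy", "ids"}


def dwell_hours(incident):
    """Hours between initial compromise and detection."""
    start = datetime.fromisoformat(incident["compromised"])
    end = datetime.fromisoformat(incident["detected"])
    return (end - start).total_seconds() / 3600


def summarize(incidents):
    """Per entry vector: how often it happened, how long it typically went
    unnoticed, and how many cases the tooling did not catch."""
    summary = {}
    for inc in incidents:
        entry = summary.setdefault(
            inc["vector"], {"count": 0, "dwell": [], "missed_by_tooling": 0})
        entry["count"] += 1
        entry["dwell"].append(dwell_hours(inc))
        if inc["detected_by"] not in AUTOMATED_SOURCES:
            entry["missed_by_tooling"] += 1
    for entry in summary.values():
        # Median rather than mean: one long-running intrusion would otherwise
        # swamp the figure for every other incident on that vector.
        entry["median_dwell_hours"] = median(entry.pop("dwell"))
    return summary


def rank(summary, key):
    """Vectors ordered by one summary field, largest first."""
    return sorted(summary, key=lambda vector: summary[vector][key], reverse=True)


if __name__ == "__main__":
    stats = summarize(INCIDENTS)
    print("most frequent entry vectors:", rank(stats, "count"))
    print("longest undetected:", rank(stats, "median_dwell_hours"))
    for vector in rank(stats, "count"):
        e = stats[vector]
        print(f"{vector:20} incidents={e['count']} "
              f"median_dwell={e['median_dwell_hours']:.1f}h "
              f"missed_by_tooling={e['missed_by_tooling']}/{e['count']}")
```

Two different rankings come out of the same records: phishing is the most frequent way in, while the unpatched VPN case is the one that sat undetected longest. Both belong in the report to management; a count of blocked packets tells them neither.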

5. Failing to rebuild compromised computers

Once a computer has been compromised, you can no longer trust it. You have no idea what the unauthorized program actually did, even if the scanner labels it adware or some other nearly harmless category. If one program got past the computer's defenses, others, or a hands-on intruder, may have followed it in. Frequently, when an anti-malware scanner says you are now clean, some other undetected program (a false negative) is still there.

The hard truth is that an exploited computer needs to be rebuilt. The data should already have been backed up. Format or reset the OS, reinstall the programs from known-good media, reconnect the network drives, and begin again. Two caveats: restore only data from the backup, not executables or installers that may themselves be the payload, and remember that reformatting does not touch firmware, so if you have any reason to suspect it, re-flash it from a vendor image as well. All of this assumes, of course, that you have corrected the problem that let the malware into the system in the first place; otherwise the rebuilt machine will be compromised the same way.

6. Accepting conventional wisdom

The world is full of computer security people who repeat the same old tired lines — such as “security by obscurity is no security at all” — without really questioning whether they’re true. The moral: Test things for yourself.